For those implementing gateways to perform tunneling versus
convert and forward, may I suggest that within any organization there
are users with varying degrees of security needs and various levels of
capabilities. From a consumer's point of view, any gateway installed
at my location would, by neccessity, tunnel anything and everything
to the systems operation staff. Our keys would never reside on the
server for any reason. On the otherhand, the secretaries would
vastly prefer that their mail leaves and arrives secure without
having to worry about key management, security, uucoding, MIME, or
whatever.
Exactly right. One possible solution here is to use multiple gateways -- an
outer one that does format conversions and always tunnels, along with
inner ones that perform sercurity operations at boundaries of
security enclaves.
If the gateway will maintain user keys (private keys at that), it
follows that a small profile of the user would be present as well.
In that event, the users' preferences for any of the proposed
techniques presented so far should be honored. Furthermore, local
administrative policy may mandate which divisions should be using
which settings.
It may be per user, per internal destination, or some combination of the two.
Policies for signature and encryption may also differ significantly. Consider
the case where the links are secure and thus no per-user encryption options are
needed, but per-user signatures are essential in terms of internal auditing and
confirmations.
Complex doesn't begin to describe it.
Ned